Malware News Linux Trojan Mines for Cryptocurrency Using Misconfigured Redis Database Servers

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Security researchers have discovered a new self-propagating trojan targeting Linux systems, which uses unsecured Redis database servers to spread from system to system.

Discovered by Russia-based antivirus maker Dr.Web, the trojan, named Linux.Lady, is one of the few weaponized Go-based malware families.

Researchers say that Linux.Lady is written using Google's Go programming language and mostly relies on open source Go libraries hosted on GitHub.

Over 30,000 Redis servers may be vulnerable
The trojan infects systems by connecting to misconfigured Redis database servers for which administrators have forgotten to set a password. According to a recent Risk Based Security report, there are over 30,000 Redis servers available online without a password.

The initial entry point is not the Linux.Lady trojan, but a smaller trojan called Linux.DownLoader.196, which, in turn, downloads the main payload after securing a foothold on the infected machine.

After the smaller trojan launches Linux.Lady into execution, this latter malware collects information about the infected system and sends it to a C&C server.

The collected data includes details such as the computer's current Linux version, the Linux OS family name, the number of CPUs, the number of running processes, and their names.

Linux.Lady mines for the Monero digital currency
Once the C&C server is informed of the creation of a new bot, it sends over a configuration file, which Linux.Lady uses to start a cryptocurrency mining program that generates digital currency for the crook's account.

The trojan mines for a cryptocurrency named Monero, the same one used by the author of the PhotoMiner worm that self-propagated through vulnerable FTP servers.

Just like PhotoMiner, Linux.Lady comes with self-propagation features. The trojan includes a function that detects the IP address of the infected computer, scans the local network, and probes for other vulnerable Redis servers that don't feature a password on the admin account.

Once it finds one, the infection process starts from zero, authenticating on the Redis server, downloading Linux.DownLoader.196 and adding it to a cron job.

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top